* [PATCH v2] scm: fix possible control message header alignment issue
@ 2016-12-29 12:39 yuan linyu
From: yuan linyu @ 2016-12-29 12:39 UTC (permalink / raw)
To: netdev; +Cc: David S . Miller, yuan linyu
From: yuan linyu <Linyu.Yuan@alcatel-sbell.com.cn>
1. put_cmsg{_compat}() may copy data to user when the buffer's free space is less than
the control message header alignment size.
2. scm_detach_fds{_compat}() may calculate a wrong fdmax if the control message header
has a greater alignment size.
Signed-off-by: yuan linyu <Linyu.Yuan@alcatel-sbell.com.cn>
---
net/compat.c | 10 ++++++++--
net/core/scm.c | 8 +++++---
2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/net/compat.c b/net/compat.c
index 96c544b..ffe7a04 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -245,7 +245,9 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat
if (copy_to_user(cm, &cmhdr, sizeof cmhdr))
return -EFAULT;
- if (copy_to_user(CMSG_COMPAT_DATA(cm), data, cmlen - sizeof(struct compat_cmsghdr)))
+ if (cmlen > CMSG_COMPAT_ALIGN(sizeof(struct compat_cmsghdr)) &&
+ copy_to_user(CMSG_COMPAT_DATA(cm), data,
+ cmlen - CMSG_COMPAT_ALIGN(sizeof(struct compat_cmsghdr))))
return -EFAULT;
cmlen = CMSG_COMPAT_SPACE(len);
if (kmsg->msg_controllen < cmlen)
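Review bot: the new guard `cmlen > CMSG_COMPAT_ALIGN(sizeof(struct compat_cmsghdr))` does two jobs and the changelog names only one. Besides skipping the copy when nothing fits past an aligned header, it keeps the subtraction from wrapping: `cmlen` is an int while `CMSG_COMPAT_ALIGN(...)` is a size_t, so without the check a cmlen smaller than the aligned header would become an enormous copy length. The substantive change is that the copied length is now measured from the same aligned offset at which CMSG_COMPAT_DATA() places the data, so header offset and length agree; state that in the commit message and mention the wrap as the second reason for the guard.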
@@ -258,12 +260,16 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat
void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
{
struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __user *) kmsg->msg_control;
- int fdmax = (kmsg->msg_controllen - sizeof(struct compat_cmsghdr)) / sizeof(int);
+ int fdmax = 0;
int fdnum = scm->fp->count;
struct file **fp = scm->fp->fp;
int __user *cmfptr;
int err = 0, i;
+ if (kmsg->msg_controllen > CMSG_COMPAT_ALIGN(sizeof(struct compat_cmsghdr)))
+ fdmax = (kmsg->msg_controllen -
+ CMSG_COMPAT_ALIGN(sizeof(struct compat_cmsghdr))) / sizeof(int);
+
if (fdnum < fdmax)
fdmax = fdnum;
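Review bot: the removed line `int fdmax = (kmsg->msg_controllen - sizeof(struct compat_cmsghdr)) / sizeof(int);` had no size check at all, unlike the native scm_detach_fds() in net/core/scm.c, so an msg_controllen smaller than the header wrapped the unsigned subtraction before the result was truncated into int. The new `if (kmsg->msg_controllen > CMSG_COMPAT_ALIGN(...))` with `int fdmax = 0;` closes that and brings the compat path in line with the native one; the changelog should call out this missing guard as its own item instead of folding it under "wrong fdmax", since it is the part of the patch that does not depend on the alignment question David Miller raises.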
diff --git a/net/core/scm.c b/net/core/scm.c
index d882043..b2e60fd 100644
--- a/net/core/scm.c
+++ b/net/core/scm.c
@@ -238,7 +238,9 @@ int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
err = -EFAULT;
if (copy_to_user(cm, &cmhdr, sizeof cmhdr))
goto out;
- if (copy_to_user(CMSG_DATA(cm), data, cmlen - sizeof(struct cmsghdr)))
+ if (cmlen > CMSG_ALIGN(sizeof(struct cmsghdr)) &&
+ copy_to_user(CMSG_DATA(cm), data,
+ cmlen - CMSG_ALIGN(sizeof(struct cmsghdr))))
goto out;
cmlen = CMSG_SPACE(len);
if (msg->msg_controllen < cmlen)
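Review bot: same pattern as the put_cmsg_compat() hunk, with one behavioural change worth confirming: when cmlen is not greater than the aligned header size the copy is now skipped entirely, whereas before a cmlen equal to the raw header size produced a zero-length copy_to_user(). For a cmlen that was reduced to msg_controllen above this hunk, the header has already been written with cmsg_len = cmlen and no payload follows; make sure MSG_CTRUNC is set on that path (the visible context does not show it). The commit message should also answer the question asked in review directly: name an architecture where sizeof(struct cmsghdr) is not a multiple of its CMSG_ALIGN(), or state that the guard is defensive only.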
@@ -267,8 +269,8 @@ void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
return;
}
- if (msg->msg_controllen > sizeof(struct cmsghdr))
- fdmax = ((msg->msg_controllen - sizeof(struct cmsghdr))
+ if (msg->msg_controllen > CMSG_ALIGN(sizeof(struct cmsghdr)))
+ fdmax = ((msg->msg_controllen - CMSG_ALIGN(sizeof(struct cmsghdr)))
/ sizeof(int));
if (fdnum < fdmax)
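Review bot: the continuation line `/ sizeof(int));` is now indented under the `fdmax =` assignment rather than aligned with the opening parenthesis of the expression it continues; re-indent it to match the line above. Functionally this hunk only swaps `sizeof(struct cmsghdr)` for `CMSG_ALIGN(sizeof(struct cmsghdr))` in a check that already existed, so the native path was already protected against a too-small msg_controllen; the real fix is in the compat hunk, and saying so in the changelog would make the patch easier to judge.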
--
2.7.4
* Re: [PATCH v2] scm: fix possible control message header alignment issue
@ 2016-12-30 20:20 ` David Miller
From: David Miller @ 2016-12-30 20:20 UTC (permalink / raw)
To: cugyly; +Cc: netdev, Linyu.Yuan
From: yuan linyu <cugyly@163.com>
Date: Thu, 29 Dec 2016 20:39:32 +0800
> From: yuan linyu <Linyu.Yuan@alcatel-sbell.com.cn>
>
> 1. put_cmsg{_compat}() may copy data to user when the buffer's free space is less than
> the control message header alignment size.
> 2. scm_detach_fds{_compat}() may calculate a wrong fdmax if the control message header
> has a greater alignment size.
>
> Signed-off-by: yuan linyu <Linyu.Yuan@alcatel-sbell.com.cn>
But can this actually happen, in practice?
Take, for example, COMPAT_CMSG_DATA().
It aligns "struct compat_cmsghdr" to a multiple of a u32.
I cannot think of any possible way that, on any architecture
whatsoever:
CMSG_COMPAT_ALIGN(sizeof(struct compat_cmsghdr))
evaluates to any value other than, exactly:
sizeof(struct compat_cmsghdr)
If you can come up with a case where this does happen in
practice, I will continue to consider this patch.
Otherwise, we should make the assumptions that exist explicit
and get rid of all of the code that does that funny alignment
upon the cmsghdr structure.
Thanks.
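A user-space model of the arithmetic under discussion, added here as an illustration; it is not code from the patch, the kernel, or either participant. It re-implements CMSG_ALIGN-style rounding as a local function cmsg_align_to() (our name, not a kernel macro), then evaluates the pre-patch and post-patch copy-length and fdmax expressions on two constructed layouts: a 12-byte compat-style header with 4-byte alignment, where the header size is already aligned as David Miller describes, and a hypothetical 12-byte header on an ABI that aligns cmsg data to 8, the case the patch guards against. All sizes and alignments are constructed inputs, not measurements of any architecture.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Round len up to a multiple of align (a power of two): the same rounding
 * CMSG_ALIGN() / CMSG_COMPAT_ALIGN() perform. The name is ours, not the kernel's. */
static size_t cmsg_align_to(size_t len, size_t align)
{
    return (len + align - 1) & ~(align - 1);
}

/* David Miller's observation as a check: is the header size already aligned? */
static int header_is_aligned(size_t hdr, size_t align)
{
    return cmsg_align_to(hdr, align) == hdr;
}

/* Pre-patch data length in put_cmsg{_compat}(): cmlen minus the raw header size,
 * evaluated in size_t as the kernel expression is. */
static size_t copy_len_old(int cmlen, size_t hdr)
{
    return (size_t)cmlen - hdr;
}

/* Post-patch data length: measured from the aligned header size (the offset at
 * which the CMSG_DATA()-style macro places the data), 0 when cmlen leaves no room. */
static size_t copy_len_new(int cmlen, size_t hdr, size_t align)
{
    size_t ahdr = cmsg_align_to(hdr, align);
    return (size_t)cmlen > ahdr ? (size_t)cmlen - ahdr : 0;
}

/* End offset of the bytes written into the user control buffer: the data starts
 * at the aligned header offset, so the end is that offset plus the copied length. */
static size_t write_end_old(int cmlen, size_t hdr, size_t align)
{
    return cmsg_align_to(hdr, align) + copy_len_old(cmlen, hdr);
}

static size_t write_end_new(int cmlen, size_t hdr, size_t align)
{
    return cmsg_align_to(hdr, align) + copy_len_new(cmlen, hdr, align);
}

/* Pre-patch fdmax expression from scm_detach_fds_compat(), evaluated in isolation:
 * no guard, so an msg_controllen smaller than the header wraps the subtraction
 * (the kernel then truncated this value into an int). */
static size_t fdmax_old_compat(size_t controllen, size_t hdr)
{
    return (controllen - hdr) / sizeof(int);
}

/* Post-patch fdmax: 0 unless there is space beyond the aligned header. */
static int fdmax_new(size_t controllen, size_t hdr, size_t align)
{
    size_t ahdr = cmsg_align_to(hdr, align);
    return controllen > ahdr ? (int)((controllen - ahdr) / sizeof(int)) : 0;
}

int main(void)
{
    /* Constructed layouts (not taken from any kernel build):
     * - compat: three 32-bit fields, 12 bytes, 4-byte cmsg alignment
     * - odd: a hypothetical 12-byte header on an ABI with 8-byte cmsg alignment */
    const size_t compat_hdr = 12, compat_align = 4;
    const size_t odd_hdr = 12, odd_align = 8;

    printf("compat header already aligned: %d\n", header_is_aligned(compat_hdr, compat_align));
    printf("odd header already aligned:    %d\n", header_is_aligned(odd_hdr, odd_align));

    /* cmlen = aligned header + 4 payload bytes, as a CMSG_LEN(4)-style value would give. */
    int cmlen = (int)cmsg_align_to(odd_hdr, odd_align) + 4;
    printf("odd layout, cmlen=%d: old copies %zu bytes ending at %zu, new copies %zu ending at %zu\n",
           cmlen, copy_len_old(cmlen, odd_hdr), write_end_old(cmlen, odd_hdr, odd_align),
           copy_len_new(cmlen, odd_hdr, odd_align), write_end_new(cmlen, odd_hdr, odd_align));

    /* msg_controllen of 18: room for the raw header plus 6 bytes, but not for a
     * whole int past the aligned header. */
    printf("odd layout, controllen=18: old fdmax %zu, new fdmax %d\n",
           fdmax_old_compat(18, odd_hdr), fdmax_new(18, odd_hdr, odd_align));
    return 0;
}
```

On the aligned layout the old and new expressions agree, which is the point of the question above. On the hypothetical misaligned layout the old copy length ends past cmlen (the data is placed at the aligned offset but its length is measured from the unaligned one), the old fdmax admits one descriptor where the buffer only has room for two bytes past the aligned header, and an msg_controllen smaller than the raw header wraps the unsigned subtraction in the compat path, which before the patch had no size check at all.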
* RE: [PATCH v2] scm: fix possible control message header alignment issue
@ 2017-01-03 0:52 ` YUAN Linyu
From: YUAN Linyu @ 2017-01-03 0:52 UTC (permalink / raw)
To: David Miller; +Cc: netdev@vger.kernel.org, cugyly@163.com
> -----Original Message-----
> From: David Miller [mailto:davem@davemloft.net]
> Sent: Saturday, December 31, 2016 4:21 AM
> To: cugyly@163.com
> Cc: netdev@vger.kernel.org; YUAN Linyu
> Subject: Re: [PATCH v2] scm: fix possible control message header alignment
> issue
> If you can come up with a case where this does happen in
> practice, I will continue to consider this patch.
>
Yes, before sending the patch I also checked two archs (arm-v7 and powerpc e6500); they are aligned.
No one has reported an issue; I think cmsghdr is aligned on all archs.
> Otherwise, we should make the assumptions that exist explicit
> and get rid of all of the code that does that funny alignment
> upon the cmsghdr structure.
>
Do you accept that I remove all CMSG{_COMPAT}_ALIGN of the header?
> Thanks.